A String Representation of LDAP Search Filters


Status of this Memo


This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.


1. Abstract 


The Lightweight Directory Access Protocol (LDAP) [1] defines a 
network representation of a search filter transmitted to an LDAP 
server. Some applications may find it useful to have a common way of 
representing these search filters in a human-readable form. This 
document defines a human-readable string format for representing LDAP 
search filters. 


2. LDAP Search Filter Definition 


An LDAP search filter is defined in [1] as follows: 


     Filter ::= CHOICE {
             and                [0] SET OF Filter,
             or                 [1] SET OF Filter,
             not                [2] Filter,
             equalityMatch      [3] AttributeValueAssertion,
             substrings         [4] SubstringFilter,
             greaterOrEqual     [5] AttributeValueAssertion,
             lessOrEqual        [6] AttributeValueAssertion,
             present            [7] AttributeType,
             approxMatch        [8] AttributeValueAssertion
     }

     SubstringFilter ::= SEQUENCE {
             type    AttributeType,
             SEQUENCE OF CHOICE {
                     initial        [0] LDAPString,
                     any            [1] LDAPString,
                     final          [2] LDAPString
             }
     }

     AttributeValueAssertion ::= SEQUENCE {
             attributeType   AttributeType,
             attributeValue  AttributeValue
     }

     AttributeType ::= LDAPString
     AttributeValue ::= OCTET STRING
     LDAPString ::= OCTET STRING


where the LDAPString above is limited to the IA5 character set. The 
AttributeType is a string representation of the attribute type name 
and is defined in [1]. The AttributeValue OCTET STRING has the form 
defined in [2]. The Filter is encoded for transmission over a 
network using the Basic Encoding Rules defined in [3], with 
simplifications described in [1]. 


3. String Search Filter Definition 


The string representation of an LDAP search filter is defined by the
following grammar. It uses a prefix format.

     <filter> ::= '(' <filtercomp> ')'
     <filtercomp> ::= <and> | <or> | <not> | <item>
     <and> ::= '&' <filterlist>
     <or> ::= '|' <filterlist>
     <not> ::= '!' <filter>
     <filterlist> ::= <filter> | <filter> <filterlist>
     <item> ::= <simple> | <present> | <substring>
     <simple> ::= <attr> <filtertype> <value>
     <filtertype> ::= <equal> | <approx> | <greater> | <less>
     <equal> ::= '='
     <approx> ::= '~='
     <greater> ::= '>='
     <less> ::= '<='
     <present> ::= <attr> '=*'
     <substring> ::= <attr> '=' <initial> <any> <final>
     <initial> ::= NULL | <value>
     <any> ::= '*' <starval>
     <starval> ::= NULL | <value> '*' <starval>
     <final> ::= NULL | <value>


<attr> is a string representing an AttributeType, and has the format
defined in [1]. <value> is a string representing an AttributeValue,
or part of one, and has the form defined in [2]. If a <value> must
contain one of the characters '*' or '(' or ')', these characters
should be escaped by preceding them with the backslash '\' character.

Note that although both the <substring> and <present> productions can
produce the 'attr=*' construct, this construct is used only to denote
a presence filter.
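
The following is an added example, not part of the memo: a Python parser for the grammar above together with an escaping helper for the rule on '*', '(' and ')'. The names escape_value and parse_filter and the tuple shape of the parse tree are assumptions of this example, and escaping the backslash itself is an added assumption that the memo does not state.

```python
import re

SPECIAL = "*()\\"  # '*', '(' and ')' per the memo; escaping '\' too is an added assumption
ITEM_HEAD = re.compile(r"([^=~<>()*\\]+)(~=|>=|<=|=)")  # <attr> <filtertype>

def escape_value(raw):  # backslash-prefix each special character in an untrusted value
    return "".join("\\" + c if c in SPECIAL else c for c in raw)

def parse_filter(s):  # parse one complete <filter> into tuples, or raise ValueError
    node, end = _filter(s, 0)
    if end != len(s):
        raise ValueError("trailing data at offset %d" % end)
    return node

def _filter(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1:i + 2]
    if op and op in "&|!":
        kids, i = [], i + 2
        while s[i:i + 1] == "(":
            kid, i = _filter(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("bad operand count for %r" % op)
        node = (op, kids)
    else:
        node, i = _item(s, i + 1)
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _item(s, i):
    m = ITEM_HEAD.match(s, i)
    if not m:
        raise ValueError("bad <attr><filtertype> at offset %d" % i)
    (attr, op), i, parts = m.groups(), m.end(), [""]
    while i < len(s) and s[i] != ")":
        if s[i] == "*" and op == "=":
            parts.append("")            # unescaped '*' splits a substring value
        elif s[i] in "(*" or s[i:] == "\\":
            raise ValueError("unescaped special or dangling backslash at %d" % i)
        else:
            i += s[i] == "\\"           # escaped: take the next character literally
            parts[-1] += s[i]
        i += 1
    if parts == ["", ""]:
        return ("present", attr), i     # 'attr=*' always denotes a presence filter
    return ((op, attr, parts[0]) if len(parts) == 1 else ("substring", attr, parts)), i
```

With the constructed value x)(sn=* placed unescaped into (&(objectClass=Person)(cn=...)), the result parses as an AND of three items including a presence filter on sn, while the same value passed through escape_value parses as a single equality item whose value is the original string. Later revisions of this string format (RFC 2254, RFC 4515) replace the backslash-prefix rule with a backslash followed by two hexadecimal digits, so match the escaping to the revision the server implements.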


4. Examples 


This section gives a few examples of search filters written using 
this notation. 


     (cn=Babs Jensen)
     (!(cn=Tim Howes))
     (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
     (o=univ*of*mich*)


5. Security Considerations


Security considerations are not discussed in this memo.